Millions of vaccinated Americans — now maskless — surely can’t wait to rekindle their love affair with their iPhone’s facial recognition technology. Meanwhile, these same people are probably less eager for the bars, restaurants, and theaters they visit to collect that same facial data and other biometric information without their knowledge and sell it to third parties. Across the U.S., many states have begun enacting privacy laws to protect against what private businesses can do with biometric data. For the people of New York City, starting July 9, 2021, their wish will be granted.
On January 10, 2021, the New York City Council enacted a law (the “Biometric Identifier Information” law, hereinafter, “The Law”) requiring commercial establishments that collect “biometric identifier information” to prominently display signage that such information is being collected, and forbidding establishments from selling or sharing that information with others. The Law marks a significant development in restricting the use of biometric information, such as retina scans, fingerprints, and facial recognition, and creates new compliance considerations for the thousands of New York City venues eager to welcome their customers back after a difficult year.
The Law’s Two Main Requirements
The Law places two new rules on certain types of commercial establishments: (1) signage requirements if the establishment collects biometric information in the first place; and (2) a prohibition on the sale or exchange of any biometric information, without exception.
First, all “commercial establishments” (defined as entertainment venues, retail stores, and food and drink establishments) that collect, retain, convert, store, or share biometric information must place clear and conspicuous signs near all customer entrances notifying customers in plain language that such information is being collected.
Second, it will be unlawful for commercial establishments to sell, lease, trade, share in exchange for anything of value, or otherwise profit from the transaction of biometric identifier information.
The Law defines “biometric identifier information” broadly, encompassing any “physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.”
The Law exempts financial institutions from the signage requirement (but not from the prohibition on sale), and exempts government agencies, employees, and agents entirely.
Businesses using traditional CCTV systems may also breathe a sigh of relief. Establishments that collect biometric information through photographs or video but do not analyze it in order to identify individuals based on physiological or biological characteristics, and do not share it with third parties (other than law enforcement) are exempt from the signage requirement. Still, these businesses are prohibited from selling or otherwise sharing or exchanging this footage with third parties.
Remedies and Cure Period
The Law creates a private right of action for aggrieved persons, but gives establishments a 30-day cure period before an action may commence. When a potential plaintiff learns that an establishment has violated the signage requirement, they must provide written notice to the establishment at least 30 days prior to initiating any action. If the establishment cures the violation within 30 days and gives a written statement to the aggrieved person that the violation has been cured and that no further violation shall occur, no action may be initiated.
No prior written notice is required for actions alleging the illegal sale of biometric information.
Penalties under The Law range from $500 to $5,000 per violation, depending on whether the establishment was negligent or reckless, as well as injunctive relief at the court’s discretion. Notably, plaintiffs may also recover attorneys’ fees and costs, including expert witness fees.
The Law will go into effect on July 9, 2021. The full text may be found here. It’s a quick read, and a good way to pass the time waiting for a table at your favorite restaurant, which is, happily, crowded once again.
The post NYC Enacts Biometric Data Disclosure Rules and Restrictions appeared first on Data + Privacy + Cybersecurity Insights.